
TLDR: What is GDPR in simple terms? GDPR is EU law that treats personal data as "loaned" to businesses, not owned by them.
In Spain, businesses must comply with both GDPR and LOPDGDD, which is a stricter Spanish law that adds requirements like mandatory data blocking, lower age of consent (14), and compulsory Data Protection Officer (DPO) appointments for specific sectors.
Key principle: Organisations must prove they're protecting data properly, or they're holding it unlawfully.
What is GDPR in simple terms? This question matters more than ever for businesses operating in Spain, particularly English-speaking expat companies and British firms navigating the Spanish market. The answer isn't as straightforward as you might hope, because understanding GDPR in Spain means understanding two interconnected legal frameworks: the European Union's General Data Protection Regulation and Spain's own Ley Orgánica de Protección de Datos Personales y garantía de los derechos digitales (LOPDGDD).
If your business collects email addresses for newsletters, processes customer payments, tracks website visitors with cookies, or maintains employee records in Spain, you're subject to what is arguably Europe's strictest data protection regime. Unlike the UK and several EU countries that implemented GDPR with minimal national additions, Spain went significantly further. The Spanish legislator didn't just adapt national law to the European requirements, it enhanced them, creating obligations that go beyond what the standard GDPR demands.

This isn't bureaucratic overreach. Data protection in Spain is anchored in Article 18.4 of the Spanish Constitution, which guarantees citizens' right to privacy against the misuse of technology. What began as a constitutional principle evolved into one of Europe's most rigorous enforcement environments, overseen by the notoriously active Agencia Española de Protección de Datos (AEPD).
In this article, you'll learn what GDPR means in practical terms, how Spain's LOPDGDD creates additional obligations, and what specific actions your business must take to operate lawfully in Spain.
At its heart, what is GDPR in simple terms? The General Data Protection Regulation operates on a principle of "loaned custody." This is the clearest way to understand the fundamental shift GDPR created: organisations do not own the personal data they hold about individuals, they are merely borrowing it.
Before GDPR, the European data protection landscape was fragmented. Each country had its own rules, and businesses largely operated on a "registration" model: tell the government you're keeping files, pay a fee, and carry on. GDPR replaced this with a unified European standard and, critically, shifted to an "accountability" model. Now, businesses don't just notify authorities, they must proactively prove they're managing data risks appropriately.
To lawfully borrow someone's personal data, organisations must meet four strict conditions:
If your organisation cannot prove it is meeting these four conditions for every piece of personal data it processes, you're not just non-compliant, you're holding that data unlawfully. This accountability burden is the defining characteristic of modern data protection law.

While GDPR provides a unified European baseline, the regulation contains "opening clauses" that allow Member States to specify certain aspects. Spain exercised this prerogative comprehensively through the LOPDGDD (Ley Orgánica 3/2018), adopted on 5 December 2018, roughly six months after GDPR became applicable on 25 May 2018.
The LOPDGDD accomplishes three critical objectives:
Adaptation: It harmonises Spanish law with GDPR, formally repealing the previous data protection law (LOPD 15/1999) that had governed since 1999.
Clarification: It resolves ambiguities in GDPR by setting specific national standards where the European regulation allowed flexibility.
Innovation: It introduces Title X, a pioneering "Bill of Digital Rights" that addresses labor relations, digital inheritance, and social issues in the internet era, topics the GDPR doesn't explicitly cover.
For businesses operating in Spain, several key divergences from standard GDPR implementation create unique obligations:
| Requirement | Standard EU GDPR | Spanish LOPDGDD | Impact on Your Business |
|---|---|---|---|
| Age of Digital Consent | 16 years (Member States can lower to 13) | 14 years | If your website or service targets teenagers, you need parental consent for users under 14, not under 16. Age verification systems must be calibrated accordingly. |
| Deceased Persons' Data | Generally does not apply to the deceased | Heirs have rights to access, rectify, and delete | Family members can request access to a deceased person's data unless the deceased explicitly prohibited it. Estate planning and data handling protocols must account for this. |
| Data Deletion | "Right to erasure" (delete the data) | "Bloqueo" (blocking) required first | You cannot immediately destroy data when deletion is requested. Data must first be placed in a restricted, archived state for as long as legal liability arising from the processing could still be claimed (often several years; the exact period depends on the applicable limitation statute), then physically destroyed. |
| DPO Appointment | Required based on core activities and scale of processing | Mandatory for 16 specific sectors regardless of size | Schools, language academies, security firms, health services, and 12 other sectors must appoint a Data Protection Officer even if they're small operations. This catches many expat businesses by surprise. |
| Credit Reporting | General legitimate interest framework | €50 minimum debt threshold | You cannot include someone in credit default databases (like ASNEF) if the principal debt is less than €50. Strict notification requirements also apply. This prevents "blacklisting" for trivial amounts. |
| Digital Rights at Work | Not explicitly covered | Right to Digital Disconnection, device usage policies | Employers must negotiate protocols ensuring employees can disconnect from work communications outside working hours. Workplace video surveillance cannot record audio unless specific safety risks justify it, and cannot cover rest areas, changing rooms, or similar spaces. |
To answer "what is GDPR in simple terms," you must understand the seven principles that underpin every lawful data processing activity. These aren't suggestions or best practices, they're legal requirements. Violating a principle is classified as a "Very Serious Infringement" under the LOPDGDD, carrying fines up to €20 million or 4% of global annual turnover, whichever is higher.
Every data processing activity must have a valid legal basis. The GDPR provides six lawful bases, but for most businesses, two dominate: consent and legitimate interest.
Consent in the GDPR era means affirmative action. The days of pre-ticked boxes or implied consent from silence are over. Consent must be:
Spain's enforcement history shows the AEPD scrutinises consent mechanisms closely. Businesses have been fined for using confusing double negatives in consent forms or bundling non-essential data processing with service access.
Transparency requires privacy policies written in plain, accessible language. In Spain, the preferred format is "layered" information:
This layered approach ensures people can quickly grasp the essentials without wading through pages of legalese.
Data collected for one purpose cannot be repurposed for another incompatible purpose without new legal basis (usually fresh consent).
This principle causes frequent violations. A common scenario: A Spanish language academy collects email addresses to send course enrollment confirmations (administrative purpose). Later, the academy starts sending promotional emails about new courses (marketing purpose). Without obtaining separate marketing consent, this constitutes unlawful repurposing.
The AEPD has consistently ruled that administrative and marketing purposes are distinct. Your initial legitimate interest or consent for one does not extend to the other.
You must only collect data that is strictly necessary for your stated purpose. This principle forces businesses to justify every data field they request.
Ask yourself: Does your contact form truly need the person's date of birth? Their postal address if you only communicate via email? Their gender for a newsletter subscription? If you cannot articulate a genuine, specific need for a data point, you shouldn't collect it.
The AEPD has issued significant fines for data minimisation violations, including a notable €10 million penalty to AENA (the Spanish airport operator) for excessive data collection from employees.
You must keep personal data accurate and up to date. When someone informs you of an error, you have an obligation to correct it promptly.
This ties to the Right to Rectification, one of the fundamental data subject rights. If a customer tells you their email address has changed, you cannot continue using (and potentially sharing with processors) the outdated address.
Data cannot be kept longer than necessary for the purpose it was collected. "Just in case we need it later" is not a valid retention justification.
Spain's unique requirement here is "bloqueo" (blocking). Unlike standard GDPR erasure, Spanish law requires a two-stage deletion process: first, the data is blocked, meaning it is moved to a restricted archive where it is no longer processed and is kept only so it can be produced to judges, courts, the Public Prosecutor or competent public authorities if a legal liability arises; second, once the limitation period for that liability has run out, the data is physically destroyed.
This means your systems need three data states: active, blocked, and destroyed. A simple "delete" button is insufficient for Spanish compliance.
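The three-state lifecycle described above, as an added example that is not code from the original article: a minimal record store in which an erasure request blocks the record instead of deleting it, ordinary application reads refuse blocked records, a separate legal-access path can still produce them (LOPDGDD Article 32 reserves blocked data for judges, courts, the Public Prosecutor and competent public authorities), a retention job destroys records only after the limitation period, and every transition is written to an audit trail for accountability. The five-year limitation period, the record fields and the sample subject are assumptions for illustration; the real period depends on the liabilities that could arise from your processing.

```python
"""Data-lifecycle store illustrating the Spanish "bloqueo" (blocking) step.

Added example, not code from the original article. LIMITATION_PERIOD, the
record fields and the sample subject are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# Assumed limitation period: set it from legal advice for your processing, not from this file.
LIMITATION_PERIOD = timedelta(days=5 * 365)


class State(Enum):
    ACTIVE = "active"        # normal processing allowed
    BLOCKED = "blocked"      # erasure requested: kept only for legal liability, no processing
    DESTROYED = "destroyed"  # limitation period elapsed: personal data physically removed


@dataclass
class Record:
    subject_id: str
    data: dict
    state: State = State.ACTIVE
    blocked_at: Optional[datetime] = None
    destroy_after: Optional[datetime] = None


class BlockedAccessError(PermissionError):
    """Raised when an ordinary (non-legal) access path touches a blocked record."""


class DataStore:
    def __init__(self, limitation_period: timedelta = LIMITATION_PERIOD):
        self.limitation_period = limitation_period
        self._records: dict = {}
        self.audit_log: list = []  # (timestamp, subject_id, event): the accountability trail

    def _log(self, now: datetime, subject_id: str, event: str) -> None:
        self.audit_log.append((now, subject_id, event))

    def store(self, subject_id: str, data: dict, now: datetime) -> None:
        self._records[subject_id] = Record(subject_id, dict(data))
        self._log(now, subject_id, "stored")

    def get(self, subject_id: str) -> dict:
        """Ordinary application access: active records only."""
        rec = self._records.get(subject_id)
        if rec is None or rec.state is State.DESTROYED:
            raise KeyError(subject_id)
        if rec.state is State.BLOCKED:
            raise BlockedAccessError(f"{subject_id} is blocked; no ordinary processing allowed")
        return dict(rec.data)

    def erase(self, subject_id: str, now: datetime) -> datetime:
        """Erasure request: block rather than delete; return the scheduled destruction date."""
        rec = self._records[subject_id]
        if rec.state is not State.ACTIVE:
            raise ValueError(f"{subject_id} is already {rec.state.value}")
        rec.state = State.BLOCKED
        rec.blocked_at = now
        rec.destroy_after = now + self.limitation_period
        self._log(now, subject_id, "blocked")
        return rec.destroy_after

    def legal_access(self, subject_id: str, requester: str, now: datetime) -> dict:
        """Restricted path for courts, prosecutors and competent authorities (LOPDGDD Art. 32)."""
        rec = self._records[subject_id]
        if rec.state is State.DESTROYED:
            raise KeyError(subject_id)
        self._log(now, subject_id, f"legal_access:{requester}")
        return dict(rec.data)

    def purge(self, now: datetime) -> list:
        """Retention job: physically destroy blocked records whose period has elapsed."""
        destroyed = []
        for rec in self._records.values():
            if rec.state is State.BLOCKED and rec.destroy_after is not None and now >= rec.destroy_after:
                rec.data = {}  # drop the personal data itself, keep only the tombstone
                rec.state = State.DESTROYED
                self._log(now, rec.subject_id, "destroyed")
                destroyed.append(rec.subject_id)
        return destroyed

    def state_of(self, subject_id: str) -> State:
        return self._records[subject_id].state


def demo() -> dict:
    """Walk one constructed subject through all three states and report what happened."""
    t0 = datetime(2024, 1, 10, tzinfo=timezone.utc)
    store = DataStore()
    store.store("student-001", {"name": "Ana", "email": "ana@example.com"}, now=t0)  # constructed sample
    due = store.erase("student-001", now=t0)
    try:
        store.get("student-001")
        blocked_readable = True
    except BlockedAccessError:
        blocked_readable = False
    early = store.purge(now=t0 + timedelta(days=30))  # too early: nothing destroyed
    late = store.purge(now=due)                        # period elapsed: destroyed
    return {"blocked_readable": blocked_readable, "early": early, "late": late,
            "final_state": store.state_of("student-001").value,
            "events": [event for _, _, event in store.audit_log]}


if __name__ == "__main__":
    print(demo())
```

The design point is that "delete" in the application never reaches the storage layer directly: it only changes state, and the purge job is the single place where personal data is actually removed, so the destruction date and the audit trail can be shown to the AEPD on request.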
You must implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or damage.
"Appropriate" is risk-based. Processing health data or financial information requires stronger measures than processing newsletter subscriptions. At a minimum, Spanish businesses should implement:
Spain's LOPDGDD Article 5 extends the confidentiality obligation explicitly, noting that it persists even after someone's employment or contractual relationship ends. Former employees cannot disclose information they accessed during their work.
This is GDPR's most demanding principle. You must be able to prove compliance with all the other principles. Documentation is everything.
Accountability requires:
The burden of proof sits entirely with the organisation. If the AEPD investigates, "we thought we were compliant" means nothing without documentation to back it up.
Understanding what GDPR is in simple terms also means knowing what rights it grants to individuals. In Spain, these are often referred to as the ARCO-POL rights, an acronym covering the six fundamental rights:
Access: You can request to see what personal data an organisation holds about you, how it's being used, where it came from, and who it's been shared with. Organisations must respond within one month (extendable by two more months if the request is complex) and cannot charge a fee unless the request is manifestly unfounded or excessive.
Important Spanish clarification: The right of access applies to the personal data being processed, not necessarily to full copies of documents containing that data. Organisations can provide the data in summarised form, though providing document copies is often the most practical approach.
Rectification: You can require organisations to correct inaccurate personal data. If you've moved house, changed your name, or find errors in your records, organisations must update their systems when you notify them.
Cancellation/Erasure: Often called the "right to be forgotten," this allows you to request deletion of your personal data when it's no longer necessary for the purpose it was collected, when you withdraw consent, or when it was processed unlawfully.
In Spain, remember the blocking requirement: Organisations cannot immediately destroy your data. They must first place it in restricted storage for the applicable limitation period before physical destruction.
Objection: You can object to processing based on legitimate interest or for direct marketing purposes. When you object to marketing, organisations must stop immediately. Objections to legitimate interest processing require the organisation to demonstrate compelling grounds that override your interests. See our article on the Robinson list and how to stop spam marketing in Spain.
Portability: You can request your personal data in a structured, commonly used, machine-readable format and transmit it to another organisation. This right only applies to data you provided directly and that is processed by automated means based on consent or contract.
Limitation: You can request that organisations restrict processing of your data in specific circumstances, for example, while they verify the accuracy of data you've challenged, or while determining whether legitimate grounds override your objection.
All these rights must be exercisable free of charge. Organisations cannot charge you for accessing your data or correcting errors (unless requests are clearly unreasonable or repetitive).

For English-speaking businesses operating in Spain, GDPR and LOPDGDD compliance requires specific, concrete actions. Here's what you must do:
Every website tracking visitors must obtain consent before placing non-essential cookies. Spain requires:
The AEPD has been particularly strict about cookie compliance, issuing fines to organisations that use "cookie walls" (blocking access unless visitors accept all cookies) or that place cookies before consent is obtained.
Your privacy policy must use the layered approach:
First layer (immediately visible): A concise table or statement covering:
Second layer (linked): The full legal policy with comprehensive details about legal bases, international transfers, security measures, and detailed rights information.
Spanish-specific disclosures should include:
You must have a system to handle requests for access, rectification, erasure, and other rights. This system should:
Many businesses establish a dedicated email address (e.g., dataprotection@yourcompany.es) and assign responsibility to a specific person or the DPO.
Spain's Article 34 of the LOPDGDD requires mandatory DPO appointments for 16 specific sectors, regardless of organisation size:
If your business falls into any of these categories, you must appoint a DPO. This catches many expat-run language schools and tutoring services by surprise: in Spain, educational services require a DPO regardless of the organisation's size.
The DPO can be an employee or an external service provider, but must have expert knowledge of data protection law and cannot have conflicts of interest (e.g., the DPO cannot also be the CEO).
If your business reports unpaid debts to credit reference agencies or maintains customer solvency records, Spain's strict rules apply:
Spanish businesses must implement:
Digital disconnection protocols: Formal policies, ideally negotiated with employee representatives, establishing employees' right to disconnect from work communications outside working hours. This isn't merely a suggestion, it's a legally mandated right in Spain.
Video surveillance limitations: Workplace cameras cannot:
Device usage policies: Clear rules about personal use of company devices and company access to employee devices used for work purposes.
Assuming UK GDPR compliance equals Spanish compliance: The UK's post-Brexit GDPR implementation (UK GDPR) differs from LOPDGDD. Spain's stricter requirements around blocking, DPO appointments, and credit reporting won't be reflected in UK compliance frameworks.
Ignoring the age 14 threshold: UK businesses accustomed to the age 13 threshold may inadvertently process data from 13-year-olds without parental consent, which is unlawful in Spain.
Not implementing blocking systems: Simply deleting data when requested violates Spanish law. Your systems need the capability to archive data in a restricted state.
Missing mandatory DPO requirements: The biggest shock for small UK businesses is discovering their language school or tutoring service legally requires a DPO in Spain when no such requirement existed in the UK.
Overlooking post-Brexit international transfers: Data transfers from Spain to the UK are now transfers to a third country. They currently rely on the European Commission's adequacy decision for the UK; if that decision were to lapse, you would need Standard Contractual Clauses or another Chapter V transfer mechanism. Document each transfer and the basis it relies on, a step that was unnecessary while the UK was in the EU.
The AEPD is not a passive regulator. Spain's data protection authority issues thousands of sanctions annually and maintains one of Europe's highest enforcement rates.
Read our article and find out exactly what the AEPD is and what they do.
Fines operate on a tiered system:
Recent enforcement actions demonstrate the AEPD's willingness to act against all organisation sizes:
However, the AEPD also recognises the Spanish economy is dominated by SMEs and freelancers. The agency provides extensive free resources, including:
The message is clear: the law applies to everyone, but support is available for those making genuine efforts to comply.
So, what is GDPR in simple terms for a business operating in Spain? It's a fundamental reframing of the relationship between organisations and personal data. Data doesn't belong to the businesses that collect it, it belongs to individuals, and organisations are merely temporary custodians operating under strict conditions.
In Spain, those conditions extend beyond the baseline European requirements. The LOPDGDD creates a dual compliance environment where businesses must satisfy both GDPR's accountability model and Spain's additional specifications: lower age thresholds, mandatory data blocking, sector-specific DPO requirements, strict credit reporting rules, and pioneering digital workplace rights.
The practical implications are significant but manageable. Start with the basics:
For English-speaking businesses, particularly those expanding from the UK, don't assume your existing GDPR compliance translates directly to Spain. The LOPDGDD creates obligations that go beyond what you may have implemented under UK GDPR.
Data protection in Spain is not a one-time compliance exercise, it's an ongoing operational requirement. The AEPD's aggressive enforcement and Spain's constitutional protection of privacy mean that cutting corners carries real legal and financial risks. But for businesses willing to take the requirements seriously, compliance is achievable, and the free resources available from the AEPD provide substantial support.
The data privacy landscape has fundamentally shifted. In Spain more than perhaps anywhere else in Europe, that shift is enforced with rigor. Understanding what GDPR means in simple terms, and how the LOPDGDD builds upon it, is no longer optional for any business processing personal data in Spain.
Disclaimer: This article provides general informational guidance on GDPR and LOPDGDD requirements and should not be considered legal advice. Data protection compliance is complex and fact-specific. The information presented does not create a professional relationship between ANRO Privacy and readers. For specific compliance questions related to your business circumstances, consult a qualified Data Protection Officer or legal professional specialising in Spanish data protection law.
Informational Purposes Only: The content provided by ANRO DIGITAL SOLUTIONS S.L.U. (including resolution summaries, infographics, and case analyses) is for educational and informational purposes only.
No Legal Advice: This information does not constitute legal advice, a formal legal opinion, or a substitute for professional legal counsel. The interpretation of data protection laws (including the GDPR, LOPDGDD, and AEPD resolutions) is subject to change and can vary based on specific facts and circumstances.
No Liability: ANRO DIGITAL SOLUTIONS S.L.U. assumes no responsibility or liability for any actions taken, or not taken, based on the information provided on this website. While we strive for accuracy, we make no guarantees regarding the completeness or timeliness of the information.
Consult a Professional: Data protection compliance is a complex legal requirement. You should not act upon this information without seeking advice from a qualified Data Protection Officer (DPO) or a specialist data protection lawyer licensed to practice in your jurisdiction.
Third-Party Links: Links to official AEPD documents are provided for convenience. We are not responsible for the content or availability of these external government portals.
This summary is for informational purposes only. For more information, see our Aviso Legal (Legal Notice).